8 Replies Latest reply: Dec 14, 2012 12:08 AM by PeterHuynh
fkick1 Level 1 (50 points)

Hi All,

I've got LDAP set up on my Mac mini server with OD. Right now I've got users set up in multiple groups for file-sharing privileges via Workgroup Manager. I'm wondering if there's a way to set the LDAP search base to only search for members within the same group.

For example, I currently have the search base set for

cn=users,dc=example,dc=com

but I'm looking for a way to limit the results so only users in cn=groupname1,cn=groups,dc=example,dc=com would show (that would be users in groupname1).

Is this possible?

Thanks!


Mac mini Server (Late 2012), OS X Mountain Lion (10.8.2), iOS 6.0.1
  • 1. Re: Search for user in group via LDAP
    JaimeMagiera Level 2 (305 points)

    A little clarification needed... all users of that group? (just get the group members) or a particular user of that group? (test if a user is a member of that group)

  • 2. Re: Search for user in group via LDAP
    fkick1 Level 1 (50 points)

    Thanks for getting back to me, Jaime.

    Let's say userA belongs to group1, but that I have userB through userF that may belong to group2 through group3.

    I want to set userA's LDAP access so that they can only see the other users in group1 but not group2 and group3. The same is true for the other users. If there are four users in group3, I want them to see each other but not the users in group1 and group2.

    Right now, with the search base set for

    cn=users,dc=example,dc=com

    all users can see each other, regardless of which group they're in. Is there a way to modify the search base to limit each user to only being able to see other users in their group?

    Thanks!

  • 3. Re: Search for user in group via LDAP
    JaimeMagiera Level 2 (305 points)

    See each other how?... like, when doing an LDAP search with ldapsearch and similar LDAP tools? When connecting to the server via file sharing? Or?

  • 4. Re: Search for user in group via LDAP
    fkick1 Level 1 (50 points)

    Searching with Mac OS X or iOS Contacts/Address Book apps

  • 5. Re: Search for user in group via LDAP
    JaimeMagiera Level 2 (305 points)

    Maybe someone else has a solution, but I don't believe it's possible. Those apps are configured to query a number of attributes from the search base. That means you can't add your own filters. So, the solution would have to be server-side. Though you could modify the lower-level LDAP to make such limitations, there is nothing in the GUI that would allow such a setup and there is no guarantee that it would continue to work with the rest of Open Directory. One issue is that the server would need to have authenticated search queries enabled; otherwise, your limits in the Contacts app would be superfluous, because any other app or LDAP search tool could find the users and that wouldn't be very secure.

    You could create multiple domains and limit the search base to those domains (with authentication).

  • 6. Re: Search for user in group via LDAP
    fkick1 Level 1 (50 points)

    OK, so nothing as far as configuring the search base utilizing "ou" components or being able to set up organizational units on the OS X Server side?

  • 7. Re: Search for user in group via LDAP
    JaimeMagiera Level 2 (305 points)

    Well, it depends on how technical you want to get. Yes, you can use OUs in the search base of Contacts.app. However, you can only create OUs on the server side via 3rd-party apps that write directly to the LDAP tree (ldapadd, ldapmodify, etc.) or by editing the raw files. There isn't anything in the Server.app GUI to do that. In general, Open Directory does not support creating OUs out of the box. So, you'd be winging it. Here's a doc that outlines the procedure... http://publishing.yudu.com/Library/Avczi/prueba/resources/20.htm

  • 8. Re: Search for user in group via LDAP
    PeterHuynh Level 1 (0 points)

    With an OpenLDAP server I can create ACLs (Access Control Lists) to grant users permissions, but I tried it with Apple OD and it did not work. Has anyone tried creating a policy/ACL in OD or found a document guiding that?
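
Added example (written for this page, not code from any poster in the thread): the two-step ldapsearch that answers the first reading Jaime offered in reply 1, "just get the group members", against a tree laid out like the one in the original post. It assumes a hypothetical server at ldap://server.example.com, groups under cn=groups,dc=example,dc=com stored as posixGroup entries that list members in memberUid, and users under cn=users,dc=example,dc=com; the group LDIF at the bottom is constructed sample output standing in for the server, so the script runs offline. The escaping function is the part worth copying: group names and member uids come out of the directory and go straight back into a search filter, so they must be escaped per RFC 4515 before being interpolated.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed (hypothetical) layout:
#   users  under cn=users,dc=example,dc=com   (one entry per user, uid=...)
#   groups under cn=groups,dc=example,dc=com  (posixGroup entries, members in memberUid)
LDAP_URI="ldap://server.example.com"          # assumption, not a real host
USERS_BASE="cn=users,dc=example,dc=com"
GROUPS_BASE="cn=groups,dc=example,dc=com"

# Escape a value for use inside a search filter (RFC 4515 section 3).
# Backslash must be handled first or the escapes it produces get re-escaped.
# NUL cannot occur in a shell string, so it is not handled here.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build "(|(uid=a)(uid=b)...)" from uids passed as separate arguments.
# With no arguments this yields "(|)", the RFC 4526 absolute-false filter,
# so an empty group matches no users instead of every user.
build_member_filter() {
    filter=""
    for uid in "$@"; do
        filter="${filter}(uid=$(ldap_filter_escape "$uid"))"
    done
    printf '(|%s)' "$filter"
}

# Turn the LDIF of one group entry into the second-stage filter.
# Runs in a subshell so the IFS/glob changes do not leak into the caller.
filter_for_group_ldif() (
    set -f            # memberUid values are data: no pathname expansion
    IFS='
'                     # split the sed output on newlines only
    set -- $(printf '%s\n' "$1" | sed -n 's/^memberUid: //p')
    build_member_filter "$@"
)

# Stage 1: fetch the group; stage 2: fetch its members' contact attributes.
# Needs ldapsearch and a reachable server, so it is not called below.
# Add -D "<bind dn>" -W for an authenticated simple bind instead of -x alone.
users_in_group() {
    group_ldif=$(ldapsearch -x -LLL -H "$LDAP_URI" -b "$GROUPS_BASE" \
        "(&(objectClass=posixGroup)(cn=$(ldap_filter_escape "$1")))" memberUid)
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$USERS_BASE" \
        "$(filter_for_group_ldif "$group_ldif")" uid cn mail
}

# Constructed sample of a stage-1 result, standing in for the server.
# The last member has filter metacharacters in its uid on purpose.
SAMPLE_GROUP_LDIF='dn: cn=group1,cn=groups,dc=example,dc=com
cn: group1
objectClass: posixGroup
memberUid: userA
memberUid: userB
memberUid: we(ird)*name'

filter_for_group_ldif "$SAMPLE_GROUP_LDIF"
printf '\n'
```

This is a client-side query, so it does exactly what Jaime said Contacts.app cannot do (add a filter) and nothing more: it does not stop any other client from searching cn=users with no filter at all. Restricting what each bound user may read is an ACL on the server, which is the part Peter reports not working on OD. The sed line only picks up plain `memberUid:` lines; base64-encoded LDIF values (`memberUid::`) would need decoding first.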